hardfail: This client is explicitly not authorized to inject or
relay mail using the sender's DNS domain.

It should say:

fail: This client is explicitly not authorized to inject or
relay mail using the sender's DNS domain.

Notes:

Change [sixth paragraph] for consistency:
1) RFC 4408 (SPF) defines this state as "fail", not "hardfail".
2) The other subsections of 2.4 of this RFC define "fail".
The change makes the result state consistent and parallel to those as noted in other RFCs and for the alternative methods defined in this RFC.

So I think the "reasonspec" is here "(good signature)" and "(bad signature)". All other examples show similar entries for "reasonspec".

[Verifier's note:
This change is INCORRECT. The free-form parenthesized comments are actually part of the "CFWS" production. The confusion is caused by having no examples that use the "reasonspec" production, and that should be fixed if the document is updated.]

The corrected example shows how an MSA may prove that it handled submission by signing an A-R field. (I reordered the header, changed host names, changed A-R fields, removed i=, and added A-R in h=)

Some text in the same section may need minor revision. In particular, SPF pass, host name, senderid, and the origin of the DKIM key (in the corrected example, example.net may well be a MUA, while example.com has separate MSA and MX hosts.)

RFC 6577 (March 2012) indicates that it updates 5451, but 5451 does not indicate it is updated. This update is the same as errata ID 2617 (date reported 2010-11-09).
--VERIFIER NOTES--
The "updated by" information is in the metadata for the RFC, and that metadata is correct (see the version in the datatracker: https://datatracker.ietf.org/doc/rfc5451/ ). The text of an RFC does not change once it's published.